March 30, 2001
Audit Report No. 01-013


Examination Assessment of Bank Secrecy
Act Compliance

Federal Deposit Insurance Corporation
Washington, D.C. 20434
Office of Audits
Office of Inspector General

DATE:     March 30, 2001

TO:       Michael J. Zamorski, Acting Director
          Division of Supervision

FROM:     Sharon M. Smith
          Assistant Inspector General

SUBJECT:  Examination Assessment of Bank Secrecy Act Compliance
          (Audit Report No. 01-013)

This report presents the results of the Office of Inspector General’s (OIG) audit of the Division
of Supervision’s (DOS) assessment of financial institutions’ compliance with the Bank Secrecy
Act (BSA). Generally, we found that DOS did not adequately document its BSA examination
work. Therefore, we could not always determine the extent to which DOS examiners reviewed
regulated institutions’ compliance with BSA. Additionally, we found that DOS can improve the
planning process for the BSA examinations.


BACKGROUND

In 1970 the United States Congress passed the Bank Secrecy Act to aid law enforcement
agencies in the investigation of suspected criminal activity ranging from income tax evasion to
money laundering by organized crime. More recently, law enforcement agencies have found
BSA reports and records maintained by financial institutions extremely valuable in investigating
drug trafficking.

The BSA regulations require all financial institutions to maintain certain records and prepare
reports on cash transactions by and through financial institutions in excess of $10,000 into, out
of, and within the United States.
Specifically, a financial institution must file a Currency
Transaction Report (CTR) with the Internal Revenue Service for each cash transaction over
$10,000 or multiple cash transactions by an individual in one business day aggregating over
$10,000. In addition, BSA requires financial institutions to file a Suspicious Activity Report
(SAR) with FinCEN when suspected money-laundering activity or BSA violations occur.¹
Finally, the U.S. Department of the Treasury (Treasury) Office of Foreign Assets Control
(OFAC) promulgated regulations that require banks to identify transactions with prohibited
entities and notify OFAC when such transactions are attempted or completed.² OFAC rules may
require an institution to reject or freeze the funds involved in these transactions. Violations of
BSA and OFAC recordkeeping and reporting requirements expose financial institutions to
substantial penalties.

¹ Treasury’s Financial Crimes Enforcement Network (FinCEN) collects, analyzes, and shares information and provides
technical assistance to support law enforcement investigative efforts against domestic and international financial crimes.
Using BSA information reported by financial institutions, FinCEN serves as the nation’s central clearinghouse for
broad-based intelligence and information sharing on money laundering that helps illuminate the financial trail for investigators
to follow as they track criminals and their assets. FinCEN also provides policy makers with strategic analyses of
domestic and worldwide money-laundering developments, trends, and patterns.

The FDIC has developed comprehensive examination procedures to determine whether financial
institutions properly implemented BSA provisions and to independently identify instances of
potential money laundering.
The FDIC’s BSA examination procedures, in the form of the BSA
Examination Documentation (ED) Module, were jointly developed with the Federal Reserve and
are structured in a three-tiered examination process: Core Analysis, Expanded Analysis, and
Impact Analysis. The Core Analysis and Expanded Analysis tiers have a set of examination
procedures and decision factor questions. The Impact Analysis has a set of questions that
prompts the examiner to review the impact of deficiencies identified in the Core and Expanded
Analysis on the institution’s overall condition and to consider possible supervisory options. The
decision factors are answered based on the conclusions reached for the procedures performed
within the tier. The extent to which an examiner works through each tier of analysis depends on
the conclusions (decision factor answers), risks, and deficiencies noted in the preceding tier. The
responsibility for performing the FDIC’s BSA examinations resides with DOS, and the BSA
exam is performed as 1 of 10 ED Modules during the safety and soundness examinations.

DOS has implemented a risk-focused examination program designed to focus examination
resources on those areas that pose the greatest risk to the insured institution. The DOS examiner
performs pre-examination risk scoping activities using the Risk Scoping ED Module, a critical
element of the safety and soundness exam as a whole. During the risk scoping and
pre-examination process, the examiner develops an examination plan that is commensurate with the
level of risk in each functional area, including BSA, of the financial institution. The risk scoping
assessment should determine which examination tiers will be performed as well as the extent of
the procedures within the tiers.
The risk scoping assessment is documented in a Scope
Memorandum.

Specifically, during DOS’s safety and soundness examinations, the BSA examination procedures
require DOS examiners to determine whether bank management:
• established adequate policies and procedures in accordance with the anti-money laundering
  laws and regulations;
• developed a system to identify large currency deposits, including numerous small deposits
  that, when aggregated, exceed the reporting threshold;
• identified, investigated, and reported suspicious transactions;
• assigned responsibility for ongoing compliance with the BSA and financial recordkeeping
  regulations to a qualified and knowledgeable person;
• established an adequate ongoing BSA training program for its employees; and
• performed internal reviews and independent audits to identify potential deficiencies in the
  BSA program.

² OFAC restricts transactions by U.S. persons or entities, located in the U.S. or abroad, with certain foreign countries,
their nationals, or special designated nationals. OFAC regularly provides to banks, or banks may subscribe to certain
databases or other information providers to receive, current listings of foreign countries and designated nationals that are
prohibited from conducting business with any U.S. entity or individual.

DOS spent approximately 3 percent of its total examination time on the BSA ED Module during the
period of March 31, 1999 through May 15, 2000. The percentage of time spent remained relatively
consistent for examinations of both large institutions with assets in excess of $1 billion and for
institutions with assets of $1 billion or less.
However, in certain BSA exams, we found that the
examiners spent additional time where risks were identified.

In the wake of a much-publicized Bank of New York money laundering scandal in 1999, the
question of whether the BSA is fulfilling its mission gained renewed interest from the legislative
and executive branches of the federal government. As recently as the fall of 1999, the Congress
proposed legislation aimed at enhancing certain provisions of the BSA.

Additionally, the Departments of Treasury and Justice jointly issued a revised National Money
Laundering Strategy in March 2000 assigning responsibility for implementing parts of the
strategy to bank regulatory agencies, including the FDIC, to enhance efforts to prevent money
laundering. The strategy specifically stated that regulatory agencies should continue to review
existing examination procedures and, where necessary, revise, develop, and implement new
examination procedures that will ensure that anti-money laundering supervision is risk focused.
The regulatory agencies were tasked with placing increased emphasis on identifying those
institutions or practices that are most susceptible to money laundering. An essential part of the
strategy was the identification of High Intensity Money Laundering and Related Financial Crime
Areas (HIFCAs) for 2000. The HIFCAs for 2000 are: New York/Northern New Jersey; the Los
Angeles metropolitan area; San Juan, Puerto Rico; and the states that border Mexico (Texas,
Arizona, New Mexico, and California).

Recent legislative concerns have included the effectiveness of safety and soundness examiners in
detecting money-laundering activities through SARs and CTRs. In September 2000 the Office
of the Comptroller of the Currency issued new guidelines for examiners, including the
mandatory review of SARs and related bank activities.
We plan to conduct a follow-up audit
that will focus on the use of SARs and CTRs during FDIC’s examination process. We will
include a review of the examination procedures of other federal bank regulatory agencies in an
attempt to identify best practices.


OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of our audit was to determine the extent to which DOS examiners reviewed
regulated institutions’ compliance with the BSA during the course of the safety and soundness
examinations of financial institutions.

To accomplish our audit objective, the OIG interviewed DOS headquarters and Dallas, San
Francisco, and New York regional management personnel. We judgmentally selected and
interviewed field examiners who either supervised or performed BSA examination work. We
also reviewed the DOS Manual of Examination Policies, DOS Regional Directors Memoranda,
FDIC Financial Institution Letters, DOS BSA training materials, and the Risk-Focusing and BSA
ED Modules to obtain an understanding of the policies and procedures that determine the scope
and requirements for BSA examination work. Finally, we reviewed current news articles,
proposed legislation, and other agency BSA audit reports and related documents to gain an
understanding of third party concerns and viewpoints of the regulators’ role and responsibilities
in combating money laundering.

We reviewed 50 BSA examinations along with the related correspondence and administrative files.
Initially, we judgmentally selected 30 examinations from the Dallas regional office based on
institution size and geographic location.
Based on our initial results, we judgmentally selected 20
additional BSA examinations performed at financial institutions in HIFCA geographic locations.
These 20 examinations were specifically selected from institutions located in the states that border
Mexico and the San Francisco and New York regional offices. We limited our review to the BSA
ED Module’s first tier Core Analysis decision factors and examination procedures to focus our
review only on those BSA exam procedures performed at the majority of the financial institutions.
We reviewed the DOS BSA exam workpapers, the general safety and soundness correspondence and
administrative files, independent reviewer audit reports, and various FDIC and state examination
reports.

From the sample of 50 BSA exams, we reviewed 45 of the pre-examination Scope
Memorandum comments relating to the BSA ED Module.³ This review was essential for
developing an understanding of the risk-scoping and pre-examination planning activities
performed by examiners to risk-focus the BSA exam. We also selected 10 HIFCA BSA
examinations in our sample of 50 to review other related ED Modules such as electronic wire
transfers, electronic banking, and international banking. For these 10 BSA exams we assessed
the extent the examination work under these other ED Modules impacted the BSA examination.

We performed fieldwork at the DOS headquarters in Washington D.C., as well as the Dallas,
New York, and San Francisco regional offices and at 14 field offices within those regional
offices. We reviewed examinations performed during the period of March 31, 1999 through
May 15, 2000. We conducted our audit work from May 2000 through September 2000 in
accordance with generally accepted government auditing standards.


RESULTS OF AUDIT

Our review found that DOS examiners did not adequately document their BSA work in the
pre-examination Scope Memorandum and ED Module.
As a result, we could not always determine
the extent to which DOS examiners reviewed regulated institutions’ compliance with the BSA
during safety and soundness examinations. We believe the BSA examinations were not
sufficiently documented in the workpapers because examiners did not receive consistent
guidance from management regarding what constitutes adequate documentation to support their
scoping decisions and conclusions reached for the decision factors. Although additional formal
examiner training for the BSA exam is being provided in 2000/2001, the training material does
not clarify and reinforce DOS examination documentation requirements.

³ Five exams did not have the general safety and soundness administrative files available for various reasons, i.e., state
examiners retained files, files were checked out for use in a current ongoing examination, etc.

We also found that examiners could have improved their BSA exam planning by taking full
advantage of the various BSA information systems available and by clarifying the OFAC planning
procedure. Specifically, examiners did not consistently use the independent FinCEN examination
support databases that contain information on CTRs and SARs during the examination planning
process. We also found that the examiners generally did not review the OFAC listing to identify a
financial institution’s potential violations of OFAC regulations. We believe that more consistent use
of the independent examination support databases will result in more effective identification of risks
associated with BSA activities at each institution. In addition, we recognize examiners are not
required to compare OFAC listings with accounts at institutions under examination.
However, we
believe the current BSA ED Module planning procedure relating to OFAC listings needs
clarification to ensure examiners effectively monitor an institution’s compliance with OFAC
regulations.


BSA EXAM DOCUMENTATION CAN BE IMPROVED

DOS management can improve the BSA exam process by ensuring that examiners adequately
document both the Scope Memorandum and the ED Module. DOS policy recognizes that
pre-examination planning and the Scope Memorandum are critical elements in the risk-focused
examination process and that the ED Modules are the basis for adequate examination documentation.
However, we found that DOS examiners did not adequately document the preplanning Scope
Memorandum to describe the extent to which BSA ED Module decision factors and procedures
would be completed. We also found that the examiners did not consistently document the ED
Module during the examination process in order to leave a written trail of their decisions and
supporting logic.

We believe these conditions existed because examiners received inconsistent guidance regarding
what constituted sufficient documentation to support their scoping decisions, exam procedures, and
answers to the decision factors. Further, we believe a lack of formal BSA training since the
three-tiered ED Module procedures were implemented in 1997 contributed to these inconsistencies.
DOS’s 2000/2001 BSA training initiative should provide examiners with an improved understanding
of the BSA examination process. However, the training does not clarify and reinforce the DOS
examination documentation requirements established to identify the extent BSA procedures are
performed at each examination.


Scope Memorandum Did Not Adequately Document BSA Risk-Scoping Process

The BSA risk-scoping and pre-examination planning process was not adequately documented in the
Scope Memoranda we reviewed.
When a Scope Memorandum is prepared in accordance with DOS
policy, it should provide justification for the examiner’s decision to limit the BSA review. A Scope
Memorandum is intended to increase the efficiency of the exam process by eliminating unnecessary
decision factors and examination steps.

The BSA Core Analysis contains the standard series of examination procedures for examiners to
consider, but not necessarily perform, at every examination. The examiner should understand the
unique characteristics, complexity, and risk profile at each institution in deciding which procedures
should be performed and which should be excluded. The Examiner-in-Charge (EIC) is responsible
for developing a pre-examination plan commensurate with the level of risk in each ED Module,
including the BSA Module. This pre-examination plan is developed to justify the scope of
procedures performed during the exam. DOS policy states that examiners may omit procedures
when risk-scoping indicates either low materiality or an insignificant level of risk as long as the EIC
prepares a Scope Memorandum justifying the decision. According to DOS policy, the memorandum
should explain the reasons for setting/establishing the scope of the examination for each ED Module.

Regional Directors Memorandum 99-011 (RD 99-011) dated March 23, 1999 entitled Risk-Focused
Examination Program – Documentation Requirements provided examiners greater flexibility by no
longer requiring that they answer all decision factors in the ED Modules. The BSA ED Module
includes six Core Analysis decision factors that represent the examiner’s summary conclusions of
the Core Analysis procedures performed. RD 99-011 states that the examiner does not have to
answer those decision factors when the examiner decides an answer is not needed due to
risk-scoping.
The basis for this decision is to be documented in the Scope Memorandum. RD 99-011
also states that when a decision factor can be answered “yes” during the risk-scoping process, no
further comments are necessary in the ED Module because the supporting comments are included in
the Scope Memorandum. However, for the portions of the BSA ED Module where risks are deemed
significant or poorly controlled, RD 99-011 requires the examiner to perform Core Analysis
procedures and document conclusions. The DOS examination manual requires the examiner to
answer “yes” or “no” for the related decision factors with high risk and provide supporting
documentation for each answer. The documentation to support the decision factors is completion of
those required Core Analysis procedures that are performed based on the risk-scoping decisions
documented in the Scope Memorandum.

Our review of 45 Scope Memoranda indicated that for the majority of examinations the examiners
did not adequately document the risk-scoping activities related to the BSA ED Module as required
by RD 99-011. We typically found that the Dallas region examiners printed out the Risk-Scoping
ED Module and used it as a checklist in the pre-planning process rather than providing answers to
the risk-scoping exam procedures to support comments in the Scope Memorandum. We found that
the New York and San Francisco region examiners did complete the Risk-Scoping ED Module, but
did not always provide comments in the Scope Memorandum to document the risk-scoping activities
of the BSA ED Module.

For 41 of the 45 (91 percent) Scope Memoranda we reviewed, examiners did not provide specific
information commenting on risk-scoping the BSA examination.
Some memoranda contained
general comments, such as, “Core analysis procedures will be performed for all 10 primary
modules,” “All applicable examination modules will be completed…risk focused procedures will be
implemented where possible,” or “Bank Secrecy Act will be reviewed utilizing the Core Analysis
Decision Factors.” In other memoranda we found more specific BSA comments addressing the
scope of the BSA exam. However, these memoranda were also general in nature and clearly did not
indicate the areas of risk where further analysis by the examiner was necessary. These memoranda
stated that either normal BSA procedures would be performed, or the BSA exam would be
risk-focused with Core Analysis procedures performed, or the BSA exam would receive a full-scope
review.

The remaining 4 of the 45 Scope Memoranda were adequately documented to show the scope of the
BSA exam. These four exams were all performed by New York region examiners. It was evident in
the four adequately documented memoranda that the examiners used the information provided by the
regional BSA Subject Matter Expert to scope the BSA work.⁴ Overall, when examiners did not
provide comments to specific procedures in the BSA ED Module, we seldom found related
comments in the Scope Memoranda to justify why the procedures were not performed.

RD 99-011 considers the BSA Core Analysis procedures as a requirement that must be completed at
every examination. However, the DOS policy also provides guidance to the examiners for
risk-scoping the BSA Module. For example, when the institution’s BSA policies have not changed from
the previous examination, the DOS policy does not require the examiners to review the BSA
policies.
Because examiners generally did not document the pre-examination assessment of the BSA
risk areas in the Scope Memoranda, we were not able to determine how the DOS examiners
assessed the risks to limit the BSA examination procedures performed or determined which decision
factors would be answered.

Although the risk-focused approach to examining financial institutions has been improving since its
inception in October 1997, we found that examiners do not fully document the pre-planning process
for the BSA examination. The examiner misunderstandings and uncertainties regarding
documentation in the pre-planning process were first reported in our report entitled Audit of
Implementation of the DOS Risk-Focused Examination Process, dated November 5, 1998. DOS
responded to our audit findings by issuing Regional Directors Memorandum 98-100, dated
December 16, 1998, which reinforced guidance on pre-planning and documentation of ED Modules.
Following the issuance of this new guidance, we performed a second review of the pre-planning and
documentation of ED Modules. In our report entitled Follow-up Audit of Implementation of the DOS
Risk-Focused Examination Process, dated May 2000, we reported improvements in risk focusing,
but we also noted inconsistent documentation of the modules. Although the follow-up audit report
stated that the examiners had improved their risk-focusing approach in the safety and soundness
examination overall, we found in our current detailed review of risk-focusing the BSA examination
that examiners were not fully following DOS policy. Accordingly, we believe DOS needs to
reinforce the risk-focusing process to the examiners performing BSA examinations.

DOS management told us that a new BSA examiner training initiative was implemented in the fall of
2000. We believe the examiners will benefit from this training initiative.
However, the training
curriculum does not stress the importance of documenting the pre-examination assessment of BSA
risks in the Scope Memorandum as required by RD 99-011. The BSA examination documentation
requirements need to be addressed and corrected for DOS management to better understand the BSA
risks at each financial institution. By requiring better documentation during the preplanning process
on which BSA exam procedures will be performed, DOS can ensure that its staffing resources are
more effectively used for the entire safety and soundness exam.

⁴ These regional examiners are considered to have special knowledge in BSA matters and may be used as a resource by
other examiners. Some DOS regional offices refer to these experts as Fraud Specialists or Special Activities Case
Managers. Further, certain DOS field offices also have designated staff as BSA Subject Matter Experts.


BSA ED Modules Not Adequately Documented

After completion of the risk-scoping process, the examiners did not adequately document the
procedures performed in the BSA ED Module. The DOS Manual of Examination Policies requires
examiners to sufficiently document procedures performed and conclusions reached in their
workpapers. However, because the examiners did not consistently document the work performed
and the decisions reached during their BSA examinations of financial institutions, we were not able
to determine the basis for the examiners’ conclusions regarding an institution’s BSA compliance.
As previously noted, DOS examiners should rely on the Scope Memorandum to establish the
decision factors and related procedures to be completed during the BSA examination.
Once all
necessary steps are determined during the risk-focused pre-examination process, the DOS
examination manual states that the documentation requirement can be met through the use and
completion of the ED Module. According to the manual, the examiner’s workpapers should include
a summary of the procedures performed at each examination. The use and completion of the ED
Module procedures meet the workpaper requirement. The workpapers should also include a brief
summary of the basis for conclusions reached. This workpaper summary requirement is satisfied by
use of the ED Module decision factors. Based on our review of the 50 BSA exam files, we found no
other form of workpaper documentation to support BSA work performed. In most of the BSA
examinations we reviewed, Core Analysis procedures were needed to support the examiners’
answers to the Core Analysis decision factors because the Scope Memorandum did not document the
elimination of any decision factors or procedures.

We reviewed 50 BSA examination files covering 14 field offices in three regions (33 in Dallas,
8 in New York, and 9 in San Francisco). We found that each BSA file contained fairly
consistent documents that were obtained from the financial institution. The file documentation
usually included copies of the institution’s anti-money laundering policies and procedures,
reports of independent or internal audit review of these policies and procedures and testing of the
related controls, employee training materials and rosters, and other miscellaneous BSA-related
materials. These documents were incorporated in the files as the basis for answering the Core
Analysis procedures that would support the decision factor conclusions.

Our review found that Scope Memoranda did not generally provide sufficient documentation to
support eliminating BSA ED Module decision factors or procedures.
Therefore, we reviewed the
completion of the BSA ED Module and workpaper documentation to determine the exam procedures
performed and decision factors answered for all 50 examinations in our sample. Although
completion of the ED Module was intended to serve as adequate documentation for work performed,
our review of the BSA workpapers found that in 22 percent of the examinations, the Core Analysis
decision factor responses were not documented. Further, we found that 48 percent of the Core
Analysis exam procedures were not documented. We considered the decision factor and/or
procedure as not documented when the examiner did not provide any answer to the procedure,
simply placed a check mark by the procedure, or wrote “N/A” with no additional comments.

An example of where documentation can be improved was in our review of the internal
audit/independent review of BSA compliance. Each financial institution is required to have an
annual independent BSA compliance review, and one of the examination decision factors asks: “Is
the scope of the internal audit/independent review appropriate?” To evaluate this decision factor, we
reviewed the scope statement of the independent reviewer’s report for 45⁵ of the 50 BSA files in our
sample. We found that 13 reviews were performed by external parties and 32 were performed
internally by financial institution personnel. The results were consistent for both types of reviews:
that is, 20 scope statements (5 external and 15 internal reviews) in the independent reviewer reports
did not adequately show review coverage of the BSA compliance issues noted in the Core Analysis
procedures.
Specifically, the BSA exam files relating to these 20 reports were not adequately
documented to show what steps the examiner performed or how a decision was reached on the
appropriateness of the independent reviewer’s scope. Our interviews with examiners indicated that
examiners typically limit their review to reading the independent reviewer’s report. The examiners
seldom review the independent reviewer’s workpapers to determine the scope of their review. We
consider these annual independent compliance reviews to be especially important when the FDIC
shares examination responsibility with the states because some states consider the BSA exam to be a
federal compliance issue and therefore do not perform the BSA review.

We believe these documentation deficiencies occurred because examiners received inconsistent
guidance regarding the discretion they have in determining what constitutes sufficient documentation
to support their decisions. Our interviews disclosed that many examiners believed that responses to
decision factor questions could be limited to a “Yes” or “No” response, regardless of what was
contained in the Scope Memorandum. However, RD 99-011 states that “Yes” or “No” responses to
decision factors are only acceptable if supporting comments are contained in the Scope
Memorandum. Further, many examiners said that they are instructed to always complete the Core
Analysis. RD 99-011 states that Core Analysis decision factors and procedures may be omitted
when the risk scoping indicates a lack of materiality or an insignificant level of risk. We believe
examiners’ lack of formal BSA training since implementation of the ED Modules in 1997 may have
contributed to the inconsistencies as to what constituted adequate documentation.
Although DOS
management implemented a BSA training initiative for 2000/2001, the training material does not
clarify and reinforce the BSA documentation requirements.

⁵ For the other five files, one BSA file was lost, one BSA file indicated the institution was cited by examiners for
inadequate testing by the independent reviewer but the file did not have documentation to support that an independent
review was performed, and three BSA files indicated no independent review was performed at the financial institution.


BSA CORE ANALYSIS PLANNING CAN BE IMPROVED

DOS management can improve the planning for the BSA ED Module by ensuring examiners take
full advantage of the BSA information systems available and clarifying the OFAC planning
procedure. Current DOS policy recognizes pre-examination planning as a critical element in the
risk-focused examination process. However, we found examiners were not consistently using the
independent FinCEN support databases that contain information on CTRs and SARs during the BSA
examination planning process. We believe more consistent use of these independent databases will
result in more effective identification of risks associated with BSA activities at each institution. We
also found that the examiners generally did not adequately perform the BSA planning procedure that
required the examiner to review the OFAC listing to identify a financial institution’s potential
violations of OFAC regulations. We believe the current BSA ED Module planning procedure
relating to the OFAC listing needs clarification to ensure examiners effectively monitor an
institution’s compliance with OFAC regulations.

As discussed earlier, at the field offices we visited, we found that DOS examiners did not
consistently perform the BSA Core Analysis planning procedures.
The Dallas and San Francisco
DOS regional examiners did not perform three of the eight BSA ED Module planning procedures.
However, the New York DOS region examiners did perform all eight planning procedures. Two of
the three planning procedures that Dallas and San Francisco did not perform related to the review of
the SAR and CTR independent databases, and the third procedure related to review of the OFAC
listing to identify which institutions had potential violations of OFAC regulations.

The Dallas and San Francisco regional examiners we interviewed generally told us that they had
sufficient knowledge of the individual banks they have responsibility to examine and therefore did
not need to perform the SAR, CTR, and OFAC planning procedures. The examiners explained that
access to the CTR and SAR databases is limited to the regional BSA Subject Matter Experts, and the
process for requesting and receiving the data is not efficient. The examiners also stated that they
generally performed more efficient alternative exam procedures at the financial institutions by
requesting and using copies of CTR and SAR listings prepared by the financial institutions. Further,
the examiners told us that, generally, the OFAC planning procedure was limited to an inquiry to
ensure the institution’s management was aware of the OFAC listing. The examiners generally do
not review the OFAC listing to determine whether potential OFAC violations have occurred as
stated in the BSA module planning procedure.

We noted during our visit to the New York DOS regional office that management had designated a
fraud specialist to track the examination start dates. Prior to the start date for each exam, the fraud
specialist prepared a report of the FinCEN system SARs and CTRs to meet the BSA ED Module
planning requirements. This report was sent to the EIC for use in pre-planning the BSA
examination.
The report provided a 3-year history of SARs and CTRs filed at the financial
institution and indicated whether the institution had significant changes in the volume of SAR and
CTR filings since the previous examination as well as whether any suspicious or alleged illegal
activity had occurred. The EIC could then use the report to determine whether the scope of the BSA
examination should be altered.

The fraud specialist in the New York regional office also prepared summary reports by institution
and field office. The summary reports provided the Field Office Supervisors with 5-year histories of
SAR and CTR filings and identified whether an institution was located in a High-Intensity Drug
Trafficking Area. The New York regional fraud specialist also provided field offices with tracking
reports on suspicious activities when the financial institutions had not filed a SAR.

The New York regional examiners we interviewed said their examination of OFAC was limited to
determining whether the financial institution was aware of the OFAC listing and whether the
institution used OFAC software to comply with the OFAC regulations. The New York examiners
also said they seldom planned tests for identifying potential OFAC violations as indicated in the
planning procedure.

We believe the New York region BSA planning procedure is an efficient risk-focused examination
practice and a good off-site BSA monitoring tool for SAR and CTR information. As such, we
believe DOS regional management can improve BSA examinations by providing Dallas and San
Francisco regional examiners SAR and CTR reports similar to those used by New York regional
examiners.

DOS management should also consider whether field examiners are effectively performing the
OFAC planning procedure to ensure that financial institutions comply with OFAC regulations.
We
recognize that DOS policy does not require examiners to compare the OFAC listing with accounts at
institutions under examination. However, examiners should ensure that financial institutions have
policies and procedures in place to monitor compliance with OFAC regulations. The BSA Core
Analysis has two additional procedures that address the adequacy of the bank’s policies and the
independent review of OFAC compliance. However, based on interviews with the examiners and
lack of documentation of the BSA exam procedures, we could not always determine whether the
examiner ensured adequate controls were in place to monitor OFAC compliance. We believe OFAC
planning could be improved by having DOS management clarify the intent of the OFAC planning
procedure in the BSA ED Module. The procedure should explain the type of review of the OFAC
listing the examiner is expected to perform in order to identify potential OFAC violations. We
believe the examiners should document whether an institution’s independent reviewer actually tested
for OFAC compliance and assess whether the examiner should independently perform OFAC
testing.


CONCLUSION AND RECOMMENDATIONS

Although the Treasury and Justice Departments lead the law enforcement effort to combat money
laundering, the federal financial regulatory agencies, such as the FDIC, are responsible for the
examination of financial institutions to ensure these institutions have created effective internal
control systems to detect potential money laundering. Money laundering is on the rise and,
therefore, has heightened the concern of the Congress regarding the effectiveness of BSA
examinations. In response to this concern, DOS management can improve the overall BSA exam
process.
Improving the overall BSA exam process through consistent planning and documentation
of the ED module will result in exams that are more effectively performed by the FDIC and are more
responsive to concerns of external third parties. Better planning and documentation will also help
new examiners learn the institutions’ risks and examination process more quickly, ensure effective
controls are in place for the examination process, aid law enforcement agencies in their efforts to
combat money laundering, better protect the FDIC’s reputation, and maintain public confidence.

Although new BSA training is being provided to the examiners, we believe additional training or
instructions will be necessary relating to planning and documenting the BSA examination process.
As part of that training, DOS management needs to better communicate its expectations regarding
the use of the BSA Scoping Memorandum and ED Module.

Accordingly, we recommend that the Acting Director, DOS:

(1)   Reinforce and ensure that the specific guidance for DOS examiners to follow when
      risk-focusing BSA examinations, including documentation requirements of scoping decisions,
      procedures to be performed, and conclusions reached during the pre-examination process, is
      followed.

(2)   Reinforce and ensure that the DOS policy and instructions that describe adequate
      documentation of the BSA ED Module decision factors and procedures are followed.

These two recommendations could be accomplished through ongoing training and quality reviews of
examiners’ work.

We further recommend that the Acting Director, DOS:

(3)   Implement in other DOS regional offices the New York region’s practice of assigning a
      regional examination specialist to provide CTR and SAR system reports to field examiners for
      the risk-focusing and pre-planning process of
      the BSA examination.

(4)   Evaluate the effectiveness and implementation of the BSA ED Module planning procedure
      relating to the examiner’s review of the OFAC listing of prohibited entities in order to identify
      potential violations of OFAC regulations.


CORPORATION COMMENTS AND OIG EVALUATION

On March 23, 2001, the Acting Director, DOS, provided a written response to the draft report,
agreeing with the intent of our recommendations. The Corporation’s response provided us with
the requisite elements of a management decision on all recommendations. The Acting Director’s
response is presented as Appendix 1 to this report. The Acting Director’s response to
recommendations 1 and 2 along with our analysis follows. We did not summarize the response
to recommendations 3 and 4 because the actions planned are identical to those recommended.

Reinforce and ensure that the specific guidance for DOS examiners to follow when
risk-focusing BSA examinations, including documentation requirements of scoping decisions,
procedures to be performed, and conclusions reached during the pre-examination process, is
followed (recommendation 1): The Acting Director stated that “Because the Department of the
Treasury has delegated to us the responsibility for ensuring compliance with the BSA . . . we require
the six core decision factors to be answered at every examination.” The Acting Director also stated
that “We have just completed revisions to the BSA Module for inclusion in the next release of ED
updates . . . we will reemphasize our existing policies requiring all of the BSA core decision factors
to be answered at each examination.”

We recognize that the requirement for all of the BSA core decision factors to be answered essentially
removes the requirement for BSA scoping decisions or any mention of BSA in the Scope
Memorandum.
We accept this alternative procedure as a valid alternative to the current guidance on
risk-focused examination documentation requirements. Therefore, we consider the Acting
Director’s response to provide the necessary requisites for a management decision.

Reinforce and ensure that the DOS policy and instructions that describe adequate
documentation of the BSA ED Module decision factors and procedures are followed
(recommendation 2): The Acting Director stated that “We will reemphasize current guidance
regarding the mandatory completion of the core decision factors and the optional use of core analysis
procedures when we release revisions to the BSA module, no later than July 31, 2001.”

To the extent that this new guidance will emphasize the current requirement to identify in the
examiner workpapers which core procedures the examiner opted to perform and the basis of
conclusions reached, i.e., answers to the core decision factors, the planned corrective action
addresses our recommendations. This information is necessary to provide the written trail of
decisions and supporting logic required. Therefore, we consider the Acting Director’s response to
provide the necessary requisites for a management decision.

We understand that DOS is reassessing examination scoping and documentation requirements in the
course of its Process Redesign project.
We will review DOS’s revised BSA guidance before it is
issued to ensure it addresses our concerns and is consistent with the Process Redesign results.


APPENDIX I
CORPORATION COMMENTS

Federal Deposit Insurance Corporation
550 17th Street NW, Washington, DC 20429
Division of Supervision

Date:      March 23, 2001

To:        Sharon M. Smith
           Assistant Inspector General

From:      Michael J. Zamorski
           Acting Director

Subject:   Draft Report Entitled Examination Assessment of Bank Secrecy Act Compliance


The Division of Supervision (DOS) appreciates the opportunity to respond to the subject Draft
Report prepared by the FDIC's Office of Inspector General (OIG). Among other things, the
Draft Report indicates that Congress has become increasingly concerned about Bank Secrecy Act
(BSA) compliance. The Draft Report also indicates that the OIG believes that DOS did not
adequately document our BSA work and that the planning process for BSA examinations can be
improved.

We agree that recent high profile money laundering cases have highlighted the importance of a
sound BSA program in financial institutions. We also recognize that opportunities exist to
improve the effectiveness of our BSA examination program, and we will take appropriate steps
to implement OIG's recommendations. We do believe that for the vast majority of institutions,
BSA compliance is a low risk area. Our outstanding guidance for risk-focused examinations
differentiates between high risk and low risk areas.
Accordingly, we fully utilize risk-focused
procedures in our BSA examinations, which procedures include streamlined documentation.

Also, as you know, we are currently reviewing our examination processes as part of our ongoing
Process Redesign project. That project is nearly complete (March 31, 2001 completion deadline
for submitting recommendations to me) and involves a thorough assessment of DOS's
supervisory processes with a goal of identifying ways to improve and streamline them. The
recommendations from this initiative may impact our policies and requirements in this area;
changes will not be made without prior consultation and discussion with the OIG.

(1)   Reinforce and ensure that the specific guidance for DOS examiners to follow when
      risk-focusing BSA examinations, including documentation requirements of scoping
      decisions, procedures to be performed, and conclusions reached during the
      pre-examination process, is followed.

      Our guidance on the use of the ED modules was disseminated in Regional Director
      Memorandum number 99-011, “Risk-Focused Examination Documentation
      Requirements,” (RD 99-011). The ED modules offer flexibility to the Examiner-in-Charge
      to determine the extent of activities for “Pre-examination Planning.” The Risk
      Scoping Module provides some broad overall guidance for these activities.

      Under current guidance, all the Primary Modules (which include the BSA Module) are to
      be used on all examinations, and all the core decision factors are to be answered, unless
      the Scope Memorandum prescribes that the area can be limited and explains the reasons
      for the limited scope.
      Because the Department of the Treasury has delegated to us the
      responsibility for ensuring compliance with the BSA by our supervised banks, and
      because we are mandated to report to Treasury any noted violations or enforcement
      actions we take, we require the six core decision factors to be answered at every
      examination. Therefore, the scope of the BSA examination would generally not be
      mentioned in the Scope Memorandum.

      We have just completed revisions to the BSA Module for inclusion in the next release of
      ED updates. In conjunction with the release of those modules, we will reemphasize our
      existing policies requiring all of the BSA core decision factors to be answered at each
      examination. We expect to issue this guidance no later than July 31, 2001 (we hope to
      issue this sooner, but timing is related to the release of the general ED updates).

(2)   Reinforce and ensure that the DOS policy and instructions that describe adequate
      documentation of the BSA ED Module decision factors and procedures are followed.

      RD 99-011 requires that the six core decision factors are required to be answered at each
      examination. However, under this guidance, the core analysis procedures are not
      required to be answered at each examination. Core analysis procedures are various tasks
      that could be performed to arrive at answers to the core decision factors. Management
      intended that the core decision factors could be answered without completing the core
      analysis procedures, leaving completion of the core analysis procedures to the examiner's
      discretion.
      We will reemphasize current guidance regarding the mandatory completion of
      the core decision factors and the optional use of core analysis procedures when we
      release revisions to the BSA module, no later than July 31, 2001 (we hope to issue this
      sooner, but timing is related to the release of the general ED updates).

(3)   Implement in other DOS regional offices the New York region's practice of
      assigning a regional examination specialist to provide CTR and SAR system reports
      to field examiners for the risk-focusing and pre-planning process of the BSA
      examination.

      We agree with this recommendation and will issue guidelines to the regional office
      specialists no later than July 31, 2001.

(4)   Evaluate the effectiveness and implementation of the BSA ED Module planning
      procedure relating to the examiner's review of the OFAC listing of prohibited
      entities in order to identify potential violations of OFAC regulations.

      We concur with this recommendation. The real intent of the examination procedures is to
      ensure that banks are aware of the OFAC requirements and have taken steps to
      implement appropriate policies and procedures to ensure compliance and to try to identify
      parties subject to the OFAC regulations.
      In our next ED Module revision, which will be
      issued no later than July 31, 2001, we will have reworded the OFAC procedures to clarify
      the examiner’s responsibilities.


APPENDIX II
MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management decisions on its recommendations in its
semiannual reports to the Congress. To consider FDIC’s responses as management decisions in accordance with the act and related guidance,
several conditions are necessary. First, the response must describe for each recommendation

   - the specific corrective actions already taken, if applicable;
   - corrective actions to be taken together with the expected completion dates for their implementation; and
   - documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount agreed or disagreed with and the reasons
for any disagreement.
In the case of questioned costs, the amount FDIC plans to disallow must be included in management’s response.

If management does not agree that a recommendation should be implemented, it must describe why the recommendation is not considered valid.

Second, the OIG must determine that management’s descriptions of (1) the course of action already taken or proposed and (2) the documentation
confirming completion of corrective actions are responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our report and the status of management decisions.
The information for management decisions is based on management’s written response to our report.

Rec. Number: 1
   Corrective Action: Taken or Planned/Status: The Acting Director, DOS, will require that all BSA
      Core Decision Factors be answered at every examination. Therefore, the scope of the BSA
      examination will generally not be mentioned in the Scope Memorandum. DOS will issue guidance to
      reemphasize that all of the BSA core decision factors are to be answered at each examination.
   Expected Completion Date: No later than July 31, 2001
   Documentation That Will Confirm Final Action: Directive or Memorandum
   Monetary Benefits: N/A
   Management Decision: Yes or No: Yes

Rec. Number: 2
   Corrective Action: Taken or Planned/Status: The Acting Director, DOS, will reemphasize current
      guidance regarding the mandatory completion of all core decision factors at each examination and
      optional use of core analysis procedures. To the extent that this guidance will emphasize the
      requirement to identify which core procedures the examiner opted to perform and the basis of
      conclusions reached, i.e., answers to the core decision factors, the planned corrective action
      addresses our recommendations.
   Expected Completion Date: No later than July 31, 2001
   Documentation That Will Confirm Final Action: Directive or Memorandum
   Monetary Benefits: N/A
   Management Decision: Yes or No: Yes

Rec. Number: 3
   Corrective Action: Taken or Planned/Status: The Acting Director, DOS, agreed with the
      recommendation. DOS will issue guidelines to regional examination specialists.
   Expected Completion Date: No later than July 31, 2001
   Documentation That Will Confirm Final Action: Directive or Memorandum issued to regional office
      specialist
   Monetary Benefits: N/A
   Management Decision: Yes or No: Yes

Rec. Number: 4
   Corrective Action: Taken or Planned/Status: The Acting Director, DOS, agreed with the
      recommendation. DOS will reword the OFAC procedures in its next BSA ED Module revision to
      clarify the examiner’s responsibilities.
   Expected Completion Date: No later than July 31, 2001
   Documentation That Will Confirm Final Action: Modified language in future BSA ED Module
   Monetary Benefits: N/A
   Management Decision: Yes or No: Yes